Dan Berger, the executive vice president of government affairs at the National Association of Federal Credit Unions, advocated several measures on Monday intended to help credit unions avoid security breaches.
Berger praised the House of Representatives for passing cybersecurity measures under the Cyber Intelligence Sharing and Protection Act.
He pointed to the importance of data security to credit unions and recommended requiring merchants and other entities that handle sensitive financial data to more actively participate in helping consumers recover from identity and data theft.
“Retailers and many other entities that handle sensitive personal financial data are not subject to the same standards [as credit unions], and they become victims of data breaches and data theft all too often,” Berger said.
Berger suggested that the burden of proof for lack of fault in data breaches should lie with retailers, that regulations on data retention be enforced more consistently, that consumers be notified when data breaches occur, that merchants publish data security policies for consumers to see, that credit union expenditures for breaches be reduced, that retailers and other entities be subject to rules like those under Gramm-Leach-Bliley, and that account servicers inform financial institutions about potential security breaches.
“Every time consumers choose to use plastic cards for payments at a register or make online payments from their accounts, they unwittingly put themselves at risk,” Berger said. “Many are not aware that their financial and personal identities could be stolen or that fraudulent charges could appear on their accounts, in turn damaging their credit scores and reputations. Consumers trust that the merchants and retailers collecting this type of information will, at the very least, make a minimal effort to protect them from such risks. Unfortunately, this is not always true.”
Berger also said that while many financial institutions are already subject to Gramm-Leach-Bliley’s data security standards, retailers and other entities are not, which could result in the theft of personal data and information.
“Financial institutions bear a significant burden as the issuers of payment cards used by millions of consumers,” Berger said. “Credit unions suffer steep losses in re-establishing member safety after a data breach occurs. They are often forced to charge off fraud-related losses, many of which stem from a negligent entity’s failure to protect sensitive financial and personal information or the illegal maintenance of such information in their systems. Moreover, as many cases of identity theft have been attributed to data breaches, and as identity theft continues to rise, any entity that stores financial or personally identifying information should be held to minimum standards for protecting such data.”